When Policy Fulfillment Is Not Part of Job Descriptions

There is no rule of thumb about how often an employee’s performance should be appraised. Many organizations perform annual assessments, although some perform assessments twice a year. This is in addition to individual appraisals between employees and their managers.

The basis for these appraisals starts with the employee job description. When a job description does not include adherence to policies, it’s more challenging to implement security policies. When an employee intentionally violates any policy (including security policy), the matter can be treated as an HR issue; that is, regardless of the job description, there’s an expectation that an employee will follow established policies as a term of his or her employment.

However, if a job description does not include policy fulfillment, the employee could perceive it as someone else’s problem. This is particularly important given that many employees are overworked. They have constant limits on their time and resources. Too often in today’s challenging business climate there’s little or no mention of security policies during an employee’s appraisals. The exception is when a gross violation of policy or a major incident occurs. Minor violations may be overlooked. Even major security policy and control deployments may not be considered important. Security policy fulfillment is an abstract concept to many. Given a choice, most employees will focus on what their manager thinks is important instead of learning an abstract concept.

You learned earlier in the chapter how self-interest is a powerful motivator of behavior. When there’s no reward associated with promoting security policies, such activity competes with other interests. The unfortunate reality is that many times the effort given is the bare minimum. It’s not because executives or managers don’t believe it’s important. It’s because there’s little time and no perceived benefit.

There’s no easy answer on how to overcome this. If you can’t change job descriptions, you need to create a perceived benefit. The culture of compliance can help by creating peer pressure. Also, it’s useful to engage employees so they feel some ownership in the security policies’ success. This can be as simple as soliciting ideas for improvement and publicizing those suggestions selected. Provide public recognition for individuals who exhibit the desired behavior. This could be as simple as a thank-you letter from a top executive in the organization. In short, create a reward outside the job description.
